How-to guide: How to protect your organization from third party liability under the FCPA (USA)

Updated as of: 03 July 2025

Introduction 


This guide will assist in-house counsel, private practitioners and compliance teams with the steps their organization should take to reduce the risk of a violation under the United States Foreign Corrupt Practices Act of 1977, as amended, 15 U.S.C. 78dd-1 et seq. (FCPA). It explains the importance of creating a compliance methodology in dealing with third parties under the FCPA.

This guide covers the following:

  1. Overview of legal framework
  2. Determining who is considered a third party
  3. Understanding theories of liability under which a company can be held liable for third party actions
  4. Specific measures to protect your organization
  5. Signs and red flags that a third party is violating the FCPA

This guide can be read in conjunction with How-to guide: How to protect your company from violations of the United States Foreign Corrupt Practices Act and Checklists: FCPA due diligence of third-party intermediaries, Anti-bribery risk assessment and What to include in an FCPA compliance program.

Section 1 – Overview of legal framework

Organizations sometimes engage third parties to assist when conducting business in foreign jurisdictions. Third parties can provide a range of business services such as reselling or distributing products, acting as a local contact in country, or shepherding goods through customs. It is important to recognize the potential risks and liability third parties and their activities present in international business transactions. Engaging third parties can create risks that may be more difficult to identify and control than those of an employee of an organization.

In order to identify issues before they become problems and thereby prevent FCPA violations, organizations must use compliance frameworks when engaging third parties and take a risk-based approach to using foreign intermediaries. Risk-based due diligence is a detailed approach used by compliance professionals to determine and implement a process to analyze potential third party risks. 

1.1 Legal framework 

The FCPA was enacted to prohibit certain entities and individuals from making payments to officials of foreign governments for purposes of obtaining or retaining business. The Act contains anti-bribery provisions that prohibit the corrupt use of the mail or other instrumentalities of interstate commerce to make impermissible payments, or promises to make such payments, as a bribe. The original legislation, enacted in 1977, has been deemed applicable to all US persons, as well as to certain categories of foreign securities issuers. Since the enactment of the 1998 amendments to the FCPA, these anti-bribery provisions have also applied to firms and individuals of foreign nations that cause (whether directly or indirectly through the use of agents) an act that furthers prohibited payments within the US.

Section 2 – Determining who is considered a third party

The first step in dealing with third parties is understanding exactly who or what is considered a third party. Under the FCPA, third-party intermediaries include a broad category of organizations and companies that provide services or facilitate transactions. Companies are required to manage and continuously monitor engaged third parties to prevent FCPA violations.

Third parties can be any company or individual used by a principal company to act as an agent for business transactions. If the third party has a connection to a foreign government or official, or is owned or controlled by a foreign government, conducting additional due diligence and addressing the relationship through contractual clauses to prevent violations of anti-corruption (A-C) laws may be required.

2.1 Categories of third parties

Several types of people and companies are considered third parties, including but not limited to these high-risk categories:

  • agents;
  • consultants;
  • customs brokers and customs agents;
  • distributors;
  • freight forwarders;
  • resellers; and
  • joint venture partners.

Understanding potential third-party intermediaries is important because of the legal obligations that companies have in developing, managing and monitoring that business relationship. Failure to properly identify and manage the relationship with a third-party intermediary may lead to corporate liability for their imputed actions.

2.2 Unique third parties: state-owned enterprises (SOE) and royal family-owned enterprises (RFOE)

Because the FCPA broadly construes the definition of a 'foreign official,' there are two groups of particularly important third parties:

  • state-owned enterprises (SOE); and
  • royal family-owned enterprises (RFOE).

An SOE is seen in some foreign jurisdictions where the national, regional, or local government retains ownership or control over a potential third party. Due to the broad interpretation of foreign official, it may be construed that the SOE’s employees are foreign officials. See, eg, United States v. Carson, No. 8:09-00077-JVS (C.D. Cal. May 18, 2011) for a full discussion of the issue.

An RFOE exists when control of a third party rests with either a ruler of a royal family or its family member. Again, due to the broad interpretation of ‘foreign official,’ it may be construed that payments to RFOE employees are payments to foreign officials.

Because these third parties are unique in that their employees could be foreign officials, it is important for organizations to take steps when making payments to prevent FCPA violations. Your organization should perform due diligence on the third parties, establish controls around payments, and spell out the specific performance within the statement of work or contract for which payment is made. In addition, establish controls around how and where to remit payments to ensure that they are made to the entity and not to an individual. In other words, since making a payment to an SOE or RFOE employee can be interpreted as a direct engagement with a foreign official, a company must take extra caution in dealing with these special types of third parties.

(See DOJ Opinion Release 20-01)

Section 3 – Understanding theories of liability under which an organization can be held liable for third party actions

It is important to understand the various theories under which your organization may be held liable for the actions of third parties. The following are theories of corporate liability in relation to the conduct of third parties.

3.1 Direct contribution

The Department of Justice (DOJ) may seek to hold an organization liable for the actions of a third party if it makes a direct contribution to corrupt behavior. In other words, if an organization directly participates in or directs an improper payment, it may be liable for the actions of the third party under the FCPA.

3.2 Authorizing third party conduct

Another means by which the DOJ may hold an organization liable for a third party’s action is if the organization authorized or assented to the conduct. If an organization authorizes (whether directly or indirectly) the third-party intermediary to make a corrupt payment or bribe to a foreign official, it may be liable for the actions of that third party. It is also important to consider that liability may exist where the organization merely provides anything of value to a third party while being aware or substantially certain that the third party will provide or promise to provide anything of value to a foreign official. 

3.3 Constructive knowledge – knowledge (‘knowing’) or willful blindness

The DOJ may also hold an organization liable for an FCPA violation if it has knowledge of the third party’s actions. Knowledge of third-party conduct may be viewed as:

  • awareness of a third party engaging in such conduct, that such circumstance (facts or details) exists, or that a particular outcome is substantially certain to occur as a result of the corrupt conduct; or
  • having a firm belief that such circumstance exists or that such result is substantially certain to occur.

Organizations cannot purposefully avoid warning signals and claim that they did not ‘know’ of a third party’s illegal action under the FCPA. A high probability of knowledge that the actions of the third party could lead to corrupt payments to foreign officials is sufficient to hold organizations liable for a third party’s actions under the FCPA. Therefore, ‘conscious disregard,’ ‘willful blindness,’ or ‘deliberate ignorance’ are included in the definition of ‘knowing’ and would constitute knowledge of the third-party conduct. In other words, when the organization deliberately fails to monitor its third-party agent, the ‘head in the sand’ defense does not shield the company from liability. 

For example, consider a situation in which an organization is having difficulty transporting goods across international waters due to the receiving country’s arduous customs process. The organization may employ a freight forwarder to assist. If that freight forwarder subsequently tells the organization not to worry because the customs officer likes imported cigars and living beyond his means, the organization cannot turn a blind eye and ignore the implication that the freight forwarder will bribe the customs officer.

3.4 Agency

Under standard agency principles, an organization may be held liable for the actions of a third party. A principal is liable for the conduct of its agents if such conduct was performed within the scope of the relationship and it somehow benefited the organization in question. Essentially, under the agency theory of respondeat superior, the DOJ would attribute the actions of the third-party agent to its principal (the organization). Furthermore, proof of an organization’s independent knowledge of intent to commit corruption is not required to hold the organization liable under traditional agency principles. Thus, where an organization exerts control over a third party’s actions, misconduct on the part of that third party may result in the organization being held liable, even where the organization did not intend to commit such misconduct. 

3.5 Aiding and abetting

An organization or person who aids or abets a crime is culpable of committing that crime in the same way as the person who perpetrated it. Therefore, even if an organization or person is not directly making corrupt payments to foreign officials, or indirectly authorizing a corrupt payment to a foreign official as a bribe, they can still be held liable if they aid or abet the third party in doing so. Overall, the organization or person must have shared in the general intent to commit the crime and engaged in some affirmative conduct to be held liable under this theory. See, eg, United States v. Hoskins, 902 F.3d 69, 75 (2d Cir. 2018) (the court reasoned that aider and abettor activity would be punishable ‘to the same extent as activity of a principal’), citing United States v. Margiotta, 662 F.2d 131, 141 (2d Cir. 1981).

3.6 Conspiracy

The DOJ can hold liable a person individually, or an organization separately in its own right, for conspiring with a third party to commit a crime under the FCPA, regardless of and separate from the FCPA violation. In other words, in working in connection with a third party to commit a crime under the FCPA, the organization or person can be held liable on a separate count of conspiracy. The elements of a conspiracy are proven if the prosecution can demonstrate:

  • two or more persons conspired to achieve a shared objective or goal;
  • the objective of the agreement was illegal;
  • the defendant knowingly and voluntarily participated in that common agreement; and
  • a conspirator committed an overt act in furtherance of the unlawful objective.

(See 18 U.S.C. section 371.)

Section 4 – Specific measures to protect your organization

There are specific internal and external measures that can be taken to protect your organization from liability for a third party’s violation of the FCPA. These measures include:

4.1 Relationship with the third party

It is important to have a strong foundation and relationship established with the third party. Make sure from the outset that you set common goals with the third party and regularly communicate company policies, procedures and other compliance guidelines.

4.2 Pre-engagement due diligence

Before engaging a third party, organizations should conduct comprehensive pre-engagement due diligence using a risk-based approach. Take into consideration all aspects of the third party, such as the third party's reputation, banking and credit status, news related to the third party and its relationships with foreign officials.

Questions to ask when considering whether to engage a third party include the following:

  • Do the third party’s qualifications suit the role for which they are being engaged?
  • What is the rationale or business need for the third party’s services?
  • Are there any current or past red flags? If so, what was the resolution, if any?
  • Has the third-party company or individual ever been barred or sanctioned before?
  • Does the third party have a good reputation? Is there any negative local news?
  • Request a list of the third party’s affiliates, associates or other formal or familial relationships. Do the parties listed have good reputations?
  • Is there any relationship between the third party and foreign officials, Specially Designated Nationals (SDNs) or Politically Exposed Persons (PEPs)?
  • Has the third party been involved in litigation? If so, what was the nature of the case?
  • What is the third party’s complete financial history?
  • Do proposed contractual terms (including compensation) seem reasonable when measured against similar past engagements or standard business practices?

Standard questionnaires, tailored to potential risks that have previously been identified as part of a risk assessment, should be created and presented to potential third-party providers. The questionnaire should collect the following types of information:

  • location of the company;
  • credit history and financial status;
  • business details and all registrations and filings;
  • current contracts;
  • organization chart with roles and responsibilities;
  • business associates and affiliates;
  • risk assessment results;
  • a full background check; and
  • other relevant and pertinent details.

Take specific precautions and risk-mitigating measures when engaging organizations and individuals in a country with a high Corruption Perceptions Index score. This can be found through the Transparency International index. Consider outsourcing this initial screening to a vendor that specializes in conducting this type of due diligence, especially when there is high risk.

See Checklist: FCPA due diligence of third-party intermediaries.

4.3 Risk assessment

Conduct risk assessments and rank all third parties based on the level of risk they present. This will help in the identification of measures to put in place to mitigate risk. Although each organization may have its own methodology, typically the FCPA risk assessment scale is low, medium, or high-level risk, or it assigns number values to different categories or levels of risk. Your organization should focus its resources on high-risk third parties and implement significant mitigating measures, such as the specific contractual terms, as set forth below.

See Checklist: Anti-bribery risk assessment.

4.4 Contract terms

The following terms are highly recommended in contracts with third parties to maintain protection from FCPA violations:

  • anti-bribery provisions that ensure compliance with anti-corruption laws, including a provision that ensures compliance with all local laws;
  • representations and warranties that the third party acknowledges receipt of and understands the organization’s compliance policies and procedures relating to anti-corruption and bribery;
  • audit rights providing for review of the books and records of the third party;
  • subcontractor extension of terms specifying that subcontractor training should be required for all subcontractors;
  • a clearly defined process for responding to breaches of representations or warranties (i.e., failure to properly document costs or paying an actual bribe);
  • dispute resolution provisions that bind the third party to your organization’s preferred method of resolving disputes. Include clauses on venue and choice of law principles;
  • termination rights for an anti-bribery breach, to protect your organization from further FCPA violations;
  • covenant provisions by the third-party intermediary to ensure that it will not violate applicable anti-bribery laws and that it will comply with all of the organization’s related policies and procedures;
  • indemnification rights to provide financial protection in the event a third party breaches an anti-bribery provision. In particular, the indemnification provision should state that the third party will indemnify, defend and hold the organization harmless from and against claims arising out of third party breach;
  • third party recordkeeping. Specifically, the third party should be required to keep all records of its conduct related to the engagement, including financial records and other information pertinent to the engagement; and
  • a provision on regular periodic contract review, which is essential to keep up with changes in the company and over time. This is especially important for high-risk third parties.

4.5 Documentation system for third party information

A third party information system is a useful means of protection because it allows an organization to track the information and activity of third parties. This can be accomplished by creating a process to collect and track third party data such as documents, third party ownership information, operational procedures, anti-bribery standards and services provided.

Create online or remote data storage locations to track all levels of communications between your organization and the third party.

Consider the use of technological means such as specialized vendor software to continuously monitor the third party for debarment, trade and other sanctions, negative news (both foreign and domestic), enforcement inquiries made or actions taken, and placement on Specially Designated Nationals (SDN) and Politically Exposed Persons (PEP) lists.

4.6 Internal measures

The following internal steps can be taken to further protect your organization from FCPA violations due to third parties.

4.6.1 Tone from the top

Management and senior level officials within your organization should set the tone that your organization will not tolerate any bribery or corruption schemes.

Beyond vocal declarations, an effective ‘tone from the top’ is demonstrated through consistent actions, resource allocation to compliance efforts, and holding all employees, including senior leadership, accountable for compliance failures. This means actively participating in training, visibly supporting the compliance function, and ensuring that ethical conduct is rewarded, while misconduct is disciplined fairly and consistently.

4.6.2 Groups dealing with anti-bribery compliance

Creating task forces within your organization to deal specifically with anti-bribery compliance will ensure that more attention and diligence is put towards preventing an FCPA violation due to a third party action.

These specialized groups should be empowered with the necessary authority and resources to conduct thorough investigations, implement robust controls, and provide continuous oversight. Their mandate should extend beyond reactive measures to proactive risk assessments, identifying potential vulnerabilities before they escalate into violations. Regular reporting to senior leadership and the board ensures that their findings and recommendations drive strategic compliance decisions across the organization.

4.6.3 Business conduct guidelines

There should be a code of ethics and business conduct implemented internally to ensure that there is no tolerance for improperly dealing with third parties.

A robust code of conduct serves as the cornerstone of ethical operations, clearly outlining expected behaviors and prohibited activities, especially concerning interactions with third parties and government officials. Beyond mere publication, the effectiveness of these guidelines hinges on their clear communication, regular reinforcement through training, and consistent enforcement, ensuring that all employees understand their obligations and the consequences of non-compliance.

4.6.4 Direct reporting and incident management

A system for direct reporting of FCPA violations and management of those incidents is essential to mitigate risk and to work effectively with authorities during an investigation. It also helps prevent further FCPA violations.

Establishing an accessible, confidential, and well-publicized reporting mechanism, such as a whistleblower hotline, is paramount. Critically, employees and third parties must feel safe and protected when reporting concerns, without fear of retaliation. Prompt, thorough, and objective investigation of all reported incidents, coupled with appropriate disciplinary action and remediation, reinforces the organization's commitment to compliance and accountability.

4.6.5 Dissect and analyze high-risk expenditures

The majority of the FCPA risk comes from high-risk expenditures; closely monitoring such expenditures is a means of protection.

This includes not only scrutinizing the purpose and recipient of payments but also examining the entire transaction lifecycle, from initial request to final disbursement. Implementing robust approval workflows, requiring detailed justifications, and conducting periodic forensic audits of these expenditures can uncover hidden patterns of illicit payments or questionable expenses, significantly enhancing risk detection and prevention.

4.6.6 Multiple employees deal with each third party

It is important to ensure that more than one person deals with each third party, because engaging multiple employees makes it harder to conceal improper conduct. Also, require countersignatures for contracts to maintain internal controls.

Implementing a system of checks and balances, where responsibilities are segregated and multiple levels of approval are required for third-party engagements and payments, greatly reduces the opportunity for a single individual to circumvent controls. This ‘four-eyes’ principle, combined with mandatory countersignatures on all significant contracts, establishes a collaborative oversight environment that deters and detects potential misconduct more effectively.

4.6.7 Require documentation

Require documentation with invoices to make it harder to hide the true source of payments and funds.

Beyond basic invoices, organizations should demand detailed supporting documentation for all third-party expenditures, including statements of work, proofs of service delivery, travel logs, and receipts, meticulously linking each payment to a legitimate business purpose. This rigorous documentation standard not only aids in internal audits but also provides crucial evidence to demonstrate compliance and the genuine nature of transactions to regulatory authorities if an investigation arises.

4.6.8 Maintain meeting records

Keeping a record of all meetings internally can help protect your organization by showing the specific steps, including investigations and remediation, that your organization takes on a regular basis in order to comply with the FCPA. It also provides transparency.

These records should be comprehensive, detailing attendees, topics discussed, decisions made, actions assigned, and deadlines. For compliance-related meetings, specifically, minutes should reflect discussions on risk assessments, policy updates, training effectiveness, and the handling of any reported concerns or potential violations, serving as a vital audit trail and tangible evidence of a functioning compliance program.

4.6.9 FCPA compliance policy and training

Organizations should have an FCPA compliance program and deliver anti-bribery information and training to internal employees and third parties on an annual basis. Organizations should also obtain an annual certification of compliance with all laws and policies. Annual certification can be processed in the following ways:

  • internal certifications from responsible employees to senior management or the board of directors that it has complied with all laws and specifically anti-corruption laws;
  • certifications from employees that they have received, read and understood the anti-corruption or FCPA policy statement; or
  • certifications from the third-party agent to the organization that it has complied with all laws and specifically anti-corruption or FCPA laws.

See Checklist: What to include in an FCPA compliance program.

4.7 Monitoring third parties

Continuous monitoring of third parties is one of the most important measures you can take to protect your organization from third party risk. During the engagement of third parties, issues may arise that are not related to the proposed engagement, such as debarment or allegations of misconduct made by domestic or foreign enforcement agencies or prosecutors. A continuous monitoring system should, if constructed properly, discover and alert personnel in charge of managing the third party relationship to the existence of potential red flags. Organizations should take the following steps:

  • conduct on-site visits, especially for the higher risk engagements and companies;
  • conduct periodic interviews of key third party personnel, preferably in-person, in order to fully evaluate truthfulness;
  • investigate fully the substance of any suspicious payments beyond the basic details; and
  • if applicable, oversee the organization's subsidiaries’ books and records to ensure they are complying with company policy and maintaining adequate internal controls with respect to third parties.

Consider notice provisions with audits as well. Do you want to allow a 30-day notice prior to audit, a 7-day notice, or no notice at all? The shorter the notice requirement, the greater the incentive for the third party to comply with FCPA policies.

4.8 Re-engagement due diligence

Organizations should conduct renewal or re-engagement due diligence for each third party prior to re-engagement, regardless of how well known the third party is to the organization. Steps to take include:

  • reconfirm all previous details regarding the third party, including ownership structure;
  • confirm there is still a business need for the re-engagement of the third party;
  • inquire as to whether the third party has hired any new employees who will work on your organization’s behalf or brought in new management personnel;
  • conduct education and training on compliance issues and obtain an acknowledgement of the receipt of all compliance guidance, such as policies and procedures and ethical business codes;
  • obtain an annual certification of compliance with all laws and policies; and
  • mitigate any red flags that may arise unless so severe that the relationship needs to be terminated.

4.9 Consider advice from local counsel

Lawyers local to the third party can provide a legal opinion on various aspects of the transaction and the third party contract as well as help to assess local risk factors and conduct due diligence. They can also provide background on local customs, bribery prohibitions, and other laws that may affect the relationship.

4.10 Special situations

4.10.1 Offsets, industrialization and local content rules

Offsets, industrialization, and local content rules in foreign jurisdictions may require government contractors to either invest in or hire local companies to provide services, perform as subcontractors, or receive technical or other assistance from your organization. Typically, this applies to organizations that have these obligations due to contracting with a foreign government. These rules also do not relieve an organization from its FCPA compliance requirements.

Given the unique nature of this foreign legal obligation, organizations should ensure that they conduct the appropriate levels of risk assessment and due diligence to protect against FCPA violations.

4.10.2 Revolving door rules

Generally, a revolving door policy prohibits a former public official or government employee from lobbying the same agency for a certain period after leaving employment or public office. In other words, some foreign governments impose post-employment requirements and prohibitions on former officials such as a bar on involvement in government procurement matters. In the context of FCPA and third parties, organizations should inquire whether third parties are owned by or employ a former government official.

To the extent that this situation may arise, it is important for organizations to mitigate this red flag by obtaining representations, warranties, or certifications that the subject owner or employee will not violate the limitations placed upon them by revolving door rules.

Section 5 – Signs and red flags that a third party is violating the FCPA

Finally, when completing the specific steps as outlined above, you must be on the lookout for red flags that a party may be violating the FCPA. In the FCPA Resource Guide, the DOJ and the SEC provide a list of potential red flags when an organization deals with a third party. Below are some potential red flags associated with examples of third parties.

5.1 Specific red flags

5.1.1 Consultants

  • requests for excessive commissions to make improper payments;
  • consulting agreements contain vaguely described services, which may represent an attempt to cover up improper payments; and
  • third-party consultants operating outside the Statement of Work. Additional work may mean additional payments not anticipated under the agreement. The additional payments may be used as a bribe.

5.1.2 Distributors

  • unreasonably large discounts to distributors that make it possible for the reseller manufacturer to offer an improper payment, such as a kickback to buy the goods or services sold.

5.1.3 Freight forwarders

  • compensation arrangements based on success can incentivize a freight forwarder to make improper payments to foreign officials to ensure that cargo gets through;
  • existing relationships between the freight forwarder or its executives and customs personnel; and
  • flat fees for the freight forwarder’s services that are unsupported by invoices. This may provide freight forwarders an unreasonably high margin that could provide extra funds for bribes.

5.1.4 Customs agent and customs broker

  • existing ties to customs officials;
  • success fees for navigating cargo through customs;
  • any fees that are unsupported by invoices; and
  • contractual agreements that only vaguely describe the work the agent or broker will perform.

5.2 General red flags

General red flags include when a third party:

  • has a familial relation to or is closely associated with a foreign official;
  • is part of the transaction at the express request or insistence of a foreign official;
  • acts as a shell company incorporated in an offshore jurisdiction; or
  • requests payment to offshore bank accounts.

Overall, a third party with any red flags should be re-evaluated by reviewing all documentation and information on the third party in light of the red flag and the associated controls, whether internal or contractual. In some instances, the risk of continuing to do business with the third party may be too high, and the relationship should be severed.

Additional resources

FCPA Resource Guide
Corruption Perceptions Index

Related Lexology Pro content

How-to guides:

How to protect your company from violations of the United States Foreign Corrupt Practices Act

Checklists:

Anti-bribery risk assessment
What to include in an FCPA compliance program
FCPA due diligence of third-party intermediaries
Charitable and political donations and gifts, travel, entertainment compliance
